IDP proxy - attribute
Cantor, Scott
cantor.2 at osu.edu
Fri Aug 14 17:10:47 UTC 2020
On 8/14/20, 12:55 PM, "users on behalf of Jerry Bailie" <users-bounces at shibboleth.net on behalf of jebailie at vassar.edu> wrote:
> Stating a different way, the aim is to 'passthrough' an attribute from the proxy to the SP.
That isn't a different way, that's the question I answered.
> For example, surname (which is released by the proxy and can be found in the SAML).
If the attribute is named in accordance with the standards, then the existing rules work. If it is not, then you either fix it so that it is if you control the IdP, you tell somebody else to fix it, or you add custom rules to map the made-up naming used by the IdP to produce the internal attribute ID you want to operate on.
"sn" is the standard internal ID for the data you're calling surname, and the standard name for that in SAML is the URI-format name "urn:oid:2.5.4.4" (that's the Attribute Name, and the NameFormat MUST be "urn:oasis:names:tc:SAML:2.0:attrname-format:uri").
And that's what the default rule is in conf/attributes/inetOrgPerson.xml
etc for eduPersonScopedAffiliation and any other attributes with default rules defined.
And you can't use different internal names and have them work out of the box. If you don't use the conventional IDs for the attributes within the system (e.g. using surname instead of sn), then that also adds friction and custom configuration requirements.
-- Scott
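As an added illustration (not the IdP's own code nor anything from the thread), the following Python models the point made above: a decoding rule is keyed on both the SAML Attribute Name and its NameFormat, so the standard urn:oid:2.5.4.4/uri pair yields the internal ID sn, while the same OID with the wrong NameFormat or a made-up name like "surname" yields nothing until a custom rule is added. The rule tables, the attribute statements and CUSTOM_RULES are all constructed for this example.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
BASIC_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
UNSPEC_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed subset of the standard rules (the ones conf/attributes/inetOrgPerson.xml
# and eduPerson.xml express), keyed on (SAML Name, NameFormat) -> internal attribute ID.
DEFAULT_RULES = {
    ("urn:oid:2.5.4.4", URI_FMT): "sn",
    ("urn:oid:1.3.6.1.4.1.5923.1.1.1.9", URI_FMT): "eduPersonScopedAffiliation",
}

# Hypothetical custom rule for a proxy that emits a made-up name: it maps
# ("surname", basic) onto the same internal ID "sn" the default rule produces.
CUSTOM_RULES = {**DEFAULT_RULES, ("surname", BASIC_FMT): "sn"}


def attribute_statement(name: str, name_format: str, value: str) -> str:
    """Build a constructed one-attribute AttributeStatement for the checks below."""
    return (
        f'<saml:AttributeStatement xmlns:saml="{SAML2}">'
        f'<saml:Attribute Name="{name}" NameFormat="{name_format}">'
        f"<saml:AttributeValue>{value}</saml:AttributeValue>"
        "</saml:Attribute></saml:AttributeStatement>"
    )


def decode_attributes(statement_xml: str, rules: dict) -> dict:
    """Return {internal_id: [values]} for each Attribute whose (Name, NameFormat)
    pair has a rule; anything else is silently dropped, which is why a proxy's
    made-up naming produces no 'sn' unless a custom rule is added."""
    root = ET.fromstring(statement_xml)
    decoded: dict = {}
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        # A missing NameFormat means 'unspecified' per SAML 2.0 core.
        key = (attr.get("Name"), attr.get("NameFormat", UNSPEC_FMT))
        internal_id = rules.get(key)
        if internal_id is None:
            continue
        values = [v.text or "" for v in attr.findall(f"{{{SAML2}}}AttributeValue")]
        decoded.setdefault(internal_id, []).extend(values)
    return decoded


# Constructed inputs: the standards-conformant case and two ways to get it wrong.
STANDARD = attribute_statement("urn:oid:2.5.4.4", URI_FMT, "Doe")
WRONG_FORMAT = attribute_statement("urn:oid:2.5.4.4", BASIC_FMT, "Doe")
MADE_UP_NAME = attribute_statement("surname", BASIC_FMT, "Doe")
```

Running decode_attributes over the three inputs with DEFAULT_RULES gives {'sn': ['Doe']} only for STANDARD; MADE_UP_NAME decodes to sn only once CUSTOM_RULES is used.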